OFFICE OF INSPECTOR GENERAL

FISCAL YEAR 2012 EVALUATION OF
NEA'S COMPLIANCE WITH THE
FEDERAL INFORMATION SECURITY
MANAGEMENT ACT OF 2002

REPORT NO. R-13-01

December 17, 2012


REPORT RELEASE RESTRICTION

In accordance with Public Law 110-409, The Inspector General Act of 2008, this report shall be posted on the National Endowment for the Arts (NEA) website not later than three (3) days after it is made publicly available with the approval of the NEA Office of Inspector General. Information contained in this report may be confidential. The restrictions of 18 USC 1905 should be considered before this information is released to the public. Furthermore, information contained in this report should not be used for purposes other than those intended without prior consultation with the NEA Office of Inspector General regarding its applicability.


INTRODUCTION

The Federal Information Security Management Act of 2002 requires an annual evaluation by the Office of Inspector General of its agency's information security programs and practices. This report presents the results of our evaluation of the National Endowment for the Arts' (NEA) information security program and practices for protecting its information technology infrastructure.


BACKGROUND

The Federal Information Security Management Act (FISMA) of 2002 was signed into law on December 17, 2002. It replaced the Government Information Security Reform Act (GISRA), which expired in November 2002. The Act requires each federal agency to develop, document, and implement an agency-wide information security program to provide information security over the operations and assets of the agency. This includes:

   •   Periodic risk assessments;
   •   Policies and procedures that are based on risk assessments;
   •   Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate;
   •   Security awareness training to inform employees (including contractors) of the security risks associated with their activities and their responsibilities to comply with those agency policies and procedures designed to reduce those risks;
   •   Periodic testing and evaluation of the effectiveness of information security policies;
   •   A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;
   •   Procedures for detecting, reporting, and responding to security incidents; and
   •   Plans and procedures to ensure continuity of operations of the agency's information systems.

Office of Management and Budget (OMB) Memorandum M-12-20, dated September 27, 2012, entitled FY [Fiscal Year] 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, updates instructions to Senior Agency Officials for Privacy, Chief Information Officers and Inspectors General for reporting their 2012 information to OMB.

The National Institute of Standards and Technology (NIST), which has the responsibility for developing technical standards and related guidance, has issued numerous publications including NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook. This publication explains important concepts, cost considerations, and interrelationships of security controls as well as the benefits of such controls. NIST also has published a Guide for Developing Security Plans for Information Technology Systems; Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems; Special Publication 800-53, Recommended Security Controls for Federal Information Systems; and FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems. In addition, guidance is found in the Government Accountability Office publication, Federal Information System Controls Audit Manual.

NEA's Office of Information and Technology Management (ITM) maintains and operates two of the agency's three core systems on a local area network. These are the Grants Management System, which contains information on grant applications, and the Automated Panel Bank System, which contains information on panelists who review grant applications. ITM also operates support systems for internet and intranet services.

NEA has contracted with the Department of Transportation (DOT) Enterprise Service Center to host its Financial Management System through DOT's Delphi Financial Management System, and with the U.S. Department of Agriculture National Finance Center for payroll services. NEA has also contracted with other providers for email, grant application processing and its personal identity verification (PIV) program. The Chief Information Officer (CIO) is responsible for developing policies and procedures to ensure that security is provided over all of NEA's networks.


OBJECTIVE AND SCOPE

The objective of the evaluation was to determine the adequacy of NEA's information technology (IT) security program and practices. This included a review of NEA's IT security policies and procedures and privacy management program. It also included interviews with responsible agency officials managing the IT systems and tests on the effectiveness of security controls.


PRIOR EVALUATION AND OTHER REPORTS

We reviewed prior evaluation reports on NEA's FISMA compliance and information technology security program, and any follow-up documentation, to determine the status of prior recommendations. Details are presented below:

Fiscal Year 2011 Evaluation of NEA's Compliance with the Federal Information Security Management Act of 2002 (Report No. R-12-01), dated November 15, 2011

NEA has implemented corrective actions for eight of the eleven recommendations. NEA is in the process of implementing corrective actions to address the remaining three recommendations in the report:

       1.      Implement corrective actions for recommendations in the Risk Assessment Report issued September 23, 2011 by EmeSec.
       2.      Develop and implement written policies and procedures to ensure that it establishes an Information System Contingency Plan in compliance with NIST SP 800-34, Revision 1.
       3.      Establish and maintain a security capital planning and investment control process program for information security.

Review of NEA's Control Over Computer-Related Equipment, Report No. R-11-02, dated January 25, 2011

The review of NEA's control over computer-related equipment was to determine whether NEA was processing and reporting computer security incidents in accordance with its policies and federal guidance. The report contained eleven recommendations from the OIG, for all of which NEA has implemented corrective actions.

Risk Assessment Report conducted by EmeSec Information Assurance, dated September 23, 2011

NEA contracted with EmeSec Information Assurance to review and assess the security architecture supporting NEA's enterprise network in support of certification and accreditation. The assessment included reviewing and examining documentation, including policies, procedures and plans, for compliance with FISMA requirements, OMB policies and applicable NIST guidelines. EmeSec also tested security controls by conducting specific vulnerability assessment and penetration testing on the system network and applications, and assessed NEA's compliance with the Federal Desktop Core Configuration. EmeSec stated in its report that "implementing a consistently improving Security Program is a two to five year process." NEA is in the process of implementing corrective actions to address the recommendations in the report.

As part of our evaluation, we also obtained technical assistance from the International Trade Commission, Office of Inspector General (ITC OIG). An ITC OIG staff member with technical expertise was assigned to conduct a high-level, independent review of NEA's computer information security program. Specifically, the staff member performed penetration and patch testing and will provide a report of the results under separate cover to the NEA OIG.


EVALUATION RESULTS

In March 2012, the Department of Homeland Security (DHS) issued a checklist for use by Offices of Inspectors General to assess the level of performance achieved by agencies in specific program areas during the FY 2012 FISMA evaluation period. The specific program areas to be assessed were:

   1.   Continuous Monitoring
   2.   Configuration Management
   3.   Identity and Access Management
   4.   Incident Response and Reporting
   5.   Risk Management
   6.   Security Training
   7.   Plan of Action & Milestones
   8.   Remote Access Management
   9.   Contingency Planning
   10.  Contractor Systems

The FY 2012 FISMA evaluation concluded that NEA has established a security program for protecting its IT infrastructure and is compliant with FISMA legislation. We determined that all of the specific program areas met the level of performance indicated in DHS's FY 2012 FISMA checklist. This report presents our completed DHS checklist for NEA (Attachment A).

Although we did not identify any material weaknesses in the program areas, we did identify areas for improvement in the following programs:

   1.   Identity and Access Management
   2.   Risk Management

Identity and Access Management
Federal Personal Identity Verification Program

NEA has established and is maintaining a program for identity and access management. However, NEA has not developed a policy as to how the agency will implement the use of the Federal PIV smartcard credentials as the common means of authentication for access to the agency's networks and information systems.

Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, was issued on August 12, 2004. HSPD-12 requires a mandatory, government-wide standard for secure and reliable forms of identification, issued by the federal government to its employees and employees of federal contractors, for access to federally-controlled facilities and networks. Based upon this directive, NIST developed Federal Information Processing Standards Publication 201, which includes minimum requirements for a Federal PIV system. Subsequently, additional implementation guidance was issued by DHS, OMB and NIST.

OMB Memorandum M-11-11, Continued Implementation of Homeland Security Presidential Directive 12 - Policy for a Common Identification Standard for Federal Employees and Contractors, dated February 3, 2011, further discusses the implementation of HSPD-12. It included a memorandum from Homeland Security, which directed each agency to develop and issue an implementation policy by March 31, 2011, through which the agency will require the use of the PIV credentials as the common means of authentication for access to that agency's facilities, networks, and information systems. To be effective in achieving the goals of HSPD-12, and realizing the full benefits of PIV credentials, the memorandum included certain requirements for the agency's implementation policy.

NEA is compliant with the requirement for the use of PIV smartcard credentials for physical access, and during FY 2012 NEA issued new computer systems to employees which can enable the use of the PIV smartcard. However, NEA has not implemented the use of the PIV smartcard credentials for access to its networks and information systems.

Recommendation

NEA should develop an implementation policy to require the use of PIV smartcard credentials for logical access to its networks as directed by HSPD-12. In addition, NEA should implement the use of the PIV smartcard credentials for access to its network and information systems.

Risk Management
Encryption of Data on Mobile Computers/Devices

Overall, NEA has established and is maintaining a risk management program that is consistent with FISMA requirements, OMB policies and applicable NIST guidelines. However, during our evaluation, we identified an area for improvement to its information security program.

During FY 2011, we evaluated NEA's control over computer-related equipment. As a result of the review, the Information Systems Security Officer (ISSO) submitted seven recommendations to the CIO which were included in the OIG's final report entitled Review of NEA's Control Over Computer-Related Equipment, Report No. R-11-02. We reviewed the corrective actions for the ISSO's recommendations and determined that six of the seven recommendations were implemented. However, we do not believe that the corrective action implemented for Recommendation No. 1, regarding encryption of information on all mobile computers/devices, meets the intent of OMB guidance. OMB Memorandum M-06-16, Protection of Sensitive Agency Information, dated June 23, 2006, states:

       All departments and agencies "encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing."

NEA implemented the Microsoft Windows 7 Encrypting File System (EFS) method. However, this method does not encrypt all data automatically. Only files and folders selected by the user can be encrypted, and encryption must be activated or deactivated by the user. Therefore, the agency must rely on users to encrypt agency data, which could also include personally identifiable information (PII). Agency data and PII continue to be at risk if users simply choose not to encrypt data. Lastly, there are no policies and procedures in place that require employees to encrypt data on mobile computers/devices.

Recommendation

NEA should implement an automatic encryption method which includes all data on all mobile computers/devices that carry agency information, to ensure PII and sensitive information is not compromised. NEA should also develop and implement policies and procedures requiring the encryption of all data on mobile computers/devices.


EXIT CONFERENCE

We provided a draft copy of this report to NEA ITM officials on December 5, 2012. The officials concurred with our findings and recommendations and agreed to initiate corrective actions.


RECOMMENDATIONS

We recommend that the National Endowment for the Arts, Office of Information and Technology Management:

1.     Develop an implementation policy to require the use of PIV smartcard credentials for logical access to its networks as directed by HSPD-12.

2.     Implement the use of the PIV smartcard credentials for access to its network and information systems.

3.     Implement an automatic encryption method which includes all data on all mobile computers/devices that carry agency information to ensure PII and sensitive information is not compromised.

4.     Develop and implement policies and procedures requiring the encryption of all data on mobile computers/devices.
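The Risk Management finding and Recommendations 3 and 4 above turn on one technical point: per-file EFS leaves encryption to each user's choice and cannot be verified centrally, whereas full-volume encryption can be audited on every machine. The following PowerShell script is an added example written for this page, not code from the OIG report or from NEA, showing how an agency could check that every volume on an endpoint is fully encrypted and protected. It assumes the BitLocker PowerShell module (Get-BitLockerVolume, available on Windows 8 / Server 2012 and later) and, as a fallback for Windows 7, parses the text printed by manage-bde -status; the field labels it matches ("Conversion Status", "Percentage Encrypted", "Protection Status") are those of that tool's output, and the function names are the author's own.

```powershell
# Added example, not from the OIG report: report full-volume encryption status
# for every BitLocker-capable volume and flag any volume that is not both
# fully encrypted and protected. Unlike EFS, this state does not depend on a
# user deciding to encrypt individual files, so it can be checked centrally.

function Get-VolumeEncryptionReport {
    [CmdletBinding()]
    param()

    $report = @()

    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: the BitLocker module exposes
        # the volume state as typed properties.
        foreach ($vol in Get-BitLockerVolume) {
            $report += [pscustomobject]@{
                MountPoint        = $vol.MountPoint
                VolumeType        = [string]$vol.VolumeType        # OperatingSystem / Data
                VolumeStatus      = [string]$vol.VolumeStatus      # FullyEncrypted, FullyDecrypted, ...
                ProtectionStatus  = [string]$vol.ProtectionStatus  # On / Off
                EncryptionPercent = $vol.EncryptionPercentage
                Compliant         = ([string]$vol.VolumeStatus -eq 'FullyEncrypted' -and
                                     [string]$vol.ProtectionStatus -eq 'On')
            }
        }
    }
    else {
        # Windows 7 fallback (assumption: manage-bde.exe is present, which it is
        # on editions that ship BitLocker). Its output has one block per volume,
        # each starting with a line such as "Volume C: [OS]".
        $text   = & manage-bde.exe -status 2>&1 | Out-String
        $blocks = $text -split '(?m)^Volume ' | Where-Object { $_ -match 'Conversion Status' }
        foreach ($block in $blocks) {
            $mount   = (($block -split "`r?`n")[0] -replace '\s+\[.*$', '').Trim()
            $status  = [regex]::Match($block, 'Conversion Status:\s*(.+)').Groups[1].Value.Trim()
            $protect = [regex]::Match($block, 'Protection Status:\s*(.+)').Groups[1].Value.Trim()
            $pct     = [regex]::Match($block, 'Percentage Encrypted:\s*([\d.]+)').Groups[1].Value
            $report += [pscustomobject]@{
                MountPoint        = $mount
                VolumeType        = 'Unknown'
                VolumeStatus      = $status
                ProtectionStatus  = $protect
                EncryptionPercent = $pct
                Compliant         = ($status -eq 'Fully Encrypted' -and $protect -eq 'Protection On')
            }
        }
    }

    return $report
}

function Get-NonCompliantVolumes {
    # Volumes that would fail the "all data on all mobile computers" requirement.
    @(Get-VolumeEncryptionReport | Where-Object { -not $_.Compliant })
}

# Stand-alone use: print the table and exit non-zero so a scheduled compliance
# job or endpoint-management agent can record the machine as non-compliant.
$report = Get-VolumeEncryptionReport
$report | Format-Table MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionPercent, Compliant -AutoSize

$bad = Get-NonCompliantVolumes
if ($bad.Count -gt 0) {
    Write-Warning ("{0} volume(s) not fully encrypted and protected: {1}" -f $bad.Count, ($bad.MountPoint -join ', '))
    exit 1
}
Write-Output 'All reported volumes are fully encrypted and protected.'
```

Run it with administrative rights, since both the BitLocker cmdlets and manage-bde require elevation to read volume state. The point of the check is that it observes the machine rather than the user: a laptop where someone has never right-clicked a folder and chosen "Encrypt" looks identical to a compliant one under EFS, but shows up as FullyDecrypted / Protection Off here.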